Merge pull request GLEIF-IT#8 from 2byrds/signify-ts-debugging

Verification updates to properly consider issuer/issue based on Signify ts debugging

README.md

@@ -1,5 +1,5 @@
 # vlei-verifier
-A service to verify signatures created by AIDs using [KERI](https://keri.one).
+A service to verify cryptographic signatures and credentials created by AIDs and ACDCs using [KERI](https://keri.one).
 
 ## Architecture
 
@@ -15,44 +15,50 @@ kli init --name vdb --nopasscode --config-dir scripts --config-file verifier-con
 
 This requires a running vLEI server and KERI witness network.
 
-The service can be launched with:
+The service can be launched from the command-line with:
 
 ```
 verifier server start --config-dir scripts --config-file verifier-config.json
 ```
 
-### Webapp
-The web app (UI front-end) uses Signify/KERIA for selecting identifiers and credentials:
-
-See: [reg-pilot-webapp](https://github.com/GLEIF-IT/reg-poc-webapp)
+Or from docker-compose with:
 
-### Server
-Provides the ability to:
-* Log in using a vLEI ECR
-* Upload signed files
-* Check the status of an upload
+```
+docker-compose build --no-cache
+docker-compose down
+docker-compose up deps
+```
 
-See: [reg-pilot-server](https://github.com/GLEIF-IT/reg-poc-server)
+### API
 
-### Additional service
-* KERI Witness Network
-* vLEI server
-* KERI Agent
+#### Initial Authentication:
+Clients that wish to authenticate with this service should present a credential to the PUT `/presentations/{said}` API and
+then poll the GET `/authorizations/{aid}` until they get something other than a 404 or until they time out.
 
-## Registering an AID as a Valid Report Submitter
+#### Registering an AID as a Valid Report Submitter:
 For an AID to be registered as a valid report submitter it must use the `/presentations/{said}` API to present a valid
 vLEI ECR credential in the body of a PUT request with a content type of `application/json+cesr`.  The `said` in the URL
 is the SAID of the credential being presented in the body.  This API will return a 202 response code to indicate that 
 the credential presentation has been accepted but with no indication of the validity of the presentation.
 
-## Checking for Authorized AIDs
+#### Checking for Authorized AIDs:
 To check whether an AID has already submitted a valid vLEI ECR credential, a client will use the `/authorizations/{aid}`
 API where the `aid` must be the holder of an already successfully submitted vLEI ECR credential.   If the AID in the URL
 has never submitted a credential, this API will return a 404.  If the AID has submitted an invalid credential, this API 
 will return a 401.  If the AID has submitted a valid credential that is currently not revoked, this API will return a 200
 with a body that contains the AID and the SAID of the credential.
 
-# Initial Authentication
-Clients that wish to authenticate with this service should present a credential to the PUT `/presentations/{said}` API and
-then poll the GET `/authorizations/{aid}` until they get something other than a 404 or until they time out.
+## Peer projects
+### Webapp
+The web app (UI front-end) uses Signify/KERIA for selecting identifiers and credentials:
+
+See: [reg-pilot-webapp](https://github.com/GLEIF-IT/reg-pilot-webapp)
+
+### Server
+The server provides the business layer and abstracts the underlying verification, but for the most part acts as a pass-through that provides the ability to:
+* Log in using a vLEI ECR
+* Upload signed files
+* Check the status of an upload
+
+See: [reg-pilot-server](https://github.com/GLEIF-IT/reg-poc-server)
 

docker-compose.yml

@@ -56,9 +56,9 @@ services:
     image: alpine
     command: ['echo', 'Dependencies running']
     depends_on:
-        vlei-server:
-            condition: service_healthy
+        # vlei-server:
+        #     condition: service_healthy
         vlei-verifier:
             condition: service_healthy
-        witness-demo:
-            condition: service_healthy
+        # witness-demo:
+        #     condition: service_healthy

images/verifier.dockerfile

@@ -9,4 +9,4 @@ WORKDIR /usr/local/var/vlei-verifier/
 
 RUN pip install -r requirements.txt
 
-ENTRYPOINT ["verifier", "server", "start", "--config-dir", "scripts", "--config-file", "verifier-config.json"]
+ENTRYPOINT ["verifier", "server", "start", "--config-dir", "scripts", "--config-file", "verifier-config-docker.json"]

scripts/keri/cf/verifier-config-docker.json

@@ -0,0 +1,25 @@
+{
+  "dt": "2022-01-20T12:57:59.823350+00:00",
+  "iurls": [
+    "http://host.docker.internal:5642/oobi/BBilc4-L3tFUnfM_wJr4S4OJanAv_VmF_dJNN6vkf2Ha/controller",
+    "http://host.docker.internal:5643/oobi/BLskRTInXnMxWaGqcpSyMgo0nYbalW99cGZESrz3zapM/controller",
+    "http://host.docker.internal:5644/oobi/BIKKuvBwpmDVA4Ds-EpL5bt9OqPzWPja2LigFYZN2YfX/controller"
+  ],
+  "durls": [
+    "http://host.docker.internal:7723/oobi/EBNaNu-M9P5cgrnfl2Fvymy4E_jvxxyjb70PRtiANlJy",
+    "http://host.docker.internal:7723/oobi/EMhvwOlyEJ9kN4PrwCpr9Jsv7TxPhiYveZ0oP3lJzdEi",
+    "http://host.docker.internal:7723/oobi/EKA57bKBKxr_kN7iN5i7lMUxpMG-s19dRcmov1iDxz-E",
+    "http://host.docker.internal:7723/oobi/EEy9PkikFcANV1l7EHukCeXqrzT1hNZjGlUk7wuMO5jw",
+    "http://host.docker.internal:7723/oobi/ENPXp1vQzRF6JwIuS-mp2U8Uf1MoADoP_GqQ62VsDZWY",
+    "http://host.docker.internal:7723/oobi/EH6ekLjSr8V32WyFbGe1zXjTzFs9PkTYmupJ9H65O14g",
+    "http://host.docker.internal:7723/oobi/EBfdlu8R27Fbx-ehrqwImnK-8Cm79sqbAQ4MmvEAYqao"
+  ],
+  "LEIs": [
+    "984500E5DEFDBQ1O9038",
+    "984500AAFEB59DDC0E43",
+    "254900OPPU84GM83MG36",
+    "9845004CC7884BN85018",
+    "98450030F6X9EC7C8336",
+    "875500ELOZEL05BVXV37"
+  ]
+}

scripts/keri/cf/verifier-config.json

@@ -19,6 +19,7 @@
     "984500AAFEB59DDC0E43",
     "254900OPPU84GM83MG36",
     "9845004CC7884BN85018",
-    "98450030F6X9EC7C8336"
+    "98450030F6X9EC7C8336",
+    "875500ELOZEL05BVXV37"
   ]
 }

src/verifier/core/authorizing.py

@@ -22,6 +22,7 @@ class Schema:
     DES_ALIASES_SCHEMA="EN6Oh5XSD5_q2Hgu-aqpdfbVepdpYpFlgz6zvJL5b_r5"
     ECR_AUTH_SCHEMA = "EJOkgTilEMjPgrEr0yZDS_MScnI0pBb75tO54lvXugOy"
     ECR_SCHEMA = 'EHAuBf02w-FIH8yEVrD_qIkgr0uI_rDzZ-kTABmdmUFP'
+    ECR_SCHEMA_PROD = 'EEy9PkikFcANV1l7EHukCeXqrzT1hNZjGlUk7wuMO5jw'
     LEI_SCHEMA = "EHyKQS68x_oWy8_vNmYubA5Y0Tse4XMPFggMfoPoERaM"
     QVI_SCHEMA = "EFgnk_c08WmZGgv9_mpldibRuqFMTQN-rAgtD-TCOwbs"
 
@@ -105,8 +106,9 @@ def processPresentations(self):
                 self.vdb.iss.rem(keys=(said,))
                 creder = self.reger.creds.get(keys=(said,))
                 match creder.schema:
-                    case Schema.ECR_SCHEMA:
+                    case Schema.ECR_SCHEMA | Schema.ECR_SCHEMA_PROD:
                         self.processEcr(creder)
+                        break
                     case _:
                         print(f"invalid credential presentation, schema {creder.schema}")
 
@@ -122,10 +124,13 @@ def processEcr(self, creder):
 
         """
         if creder.issuer not in self.hby.kevers:
-            print(f"unknown presenter {creder.subject['i']}")
+            print(f"unknown issuer {creder.issuer}")
+            return
+
+        issuee = creder.attrib["i"]
+        if issuee not in self.hby.kevers:
+            print(f"unknown issuee {issuee}")
             return
-
-        kever = self.hby.kevers[creder.issuer]
 
         LEI = creder.attrib["LEI"]
         if LEI not in self.leis:
@@ -139,7 +144,7 @@ def processEcr(self, creder):
             return
 
         print("Successful authentication, storing user.")
-        self.vdb.accts.pin(keys=(kever.serder.pre,), val=coring.Saider(qb64=creder.said))
+        self.vdb.accts.pin(keys=(issuee,), val=coring.Saider(qb64=creder.said))
 
     def processRevocations(self):
         """ Loop over database of credential revocations.

tests/common.py

@@ -16,7 +16,8 @@
 from keri.vdr import credentialing, verifying, viring
 from keri.vdr.credentialing import Credentialer, proving
 
-LEI = "254900OPPU84GM83MG36"
+LEI1 = "254900OPPU84GM83MG36"
+LEI2 = "875500ELOZEL05BVXV37"
 
 # @pytest.fixture
 # def setup_habs():
@@ -325,7 +326,7 @@ def get_ecr_data():
         d="",
         personLegalName="Bank User",
         engagementContextRole="EBA Data Submitter",
-        LEI=f"{LEI}"
+        LEI=f"{LEI1}"
     )
 
 def get_ecr_cred(issuer, recipient, schema, registry, sedge):
@@ -364,7 +365,7 @@ def get_lei_cred(issuer, recipient, schema, registry, sedge):
 
     lei = dict(
         d="",
-        LEI=f"{LEI}"
+        LEI=f"{LEI1}"
     )
 
     _, sad = coring.Saider.saidify(sad=lei, label=coring.Saids.d)
@@ -395,7 +396,7 @@ def get_qvi_cred(issuer, recipient, schema, registry):
 
     qvi = dict(
         d="",
-        LEI=f"{LEI}"
+        LEI=f"{LEI1}"
     )
 
     _, sad = coring.Saider.saidify(sad=qvi, label=coring.Saids.d)

tests/conftest.py

@@ -31,8 +31,6 @@
     "wil:http": "http://127.0.0.1:5643/",
 }
 
-LEI = "254900OPPU84GM83MG36"
-
 @pytest.fixture()
 def mockHelpingNowUTC(monkeypatch):
     """

tests/core/test_verifying.py

@@ -108,7 +108,7 @@ def test_ecr(seeder):
 
         hby.kevers[hab.pre] = hab.kever
 
-        auth = Authorizer(hby, vdb, eccrdntler.rgy.reger, [LEI])
+        auth = Authorizer(hby, vdb, eccrdntler.rgy.reger, [LEI1])
         auth.processPresentations()
 
         result = client.simulate_get(f'/authorizations/{hab.pre}')
@@ -176,7 +176,7 @@ def test_ecr_missing(seeder):
 
         hby.kevers[hab.pre] = hab.kever
 
-        auth = Authorizer(hby, vdb, eacrdntler.rgy.reger, [LEI])
+        auth = Authorizer(hby, vdb, eacrdntler.rgy.reger, [LEI1])
         auth.processPresentations()
 
         result = client.simulate_get(f'/authorizations/{hab.pre}')

tests/integration/test_service.py

@@ -54,7 +54,7 @@ def test_service_ecr(seeder):
         httpServerDoer = http.ServerDoer(server=server)
         class testCf:
             def get():
-                return dict(LEIs=[f"{LEI}"])
+                return dict(LEIs=[f"{LEI1}",f"{LEI2}"])
         authDoers = authorizing.setup(hby, vdb=vdb, reger=eccrdntler.rgy.reger, cf=testCf)
 
         doers = authDoers + [httpServerDoer]